I won’t go into detail about the new Microsoft vulnerability…you all know it’s pretty serious and there are a ton of blogs and websites talking about the dirty details. Hopefully you have all read about it and are getting the word out about patching. However, there are some updates on the status of currently available exploits for the vulnerability that I found interesting.

Public exploit code?
Yesterday Microsoft posted this update to their blog on the MSRC. Microsoft says that there is currently no public exploit code available. The code mentioned that causes a denial of service attack was the code posted on Milw0rm I believe. The only working code released was from Immunity CANVAS and Core Impact if you are a paying customer. Core Impact does mention that the exploit is in early release and may contain bugs or limited functionality (not 100% reliable).

Gimmiv.A – Is it a worm or a trojan?
Don’t let the thought cross your mind that you can perhaps delay patching your systems because public exploit code is not working/available! You still need to patch as there is malware that is currently out in the wild (Gimmiv.A) being used in “targeted” attacks. Whether or not this is a trojan or a worm is up for debate. Microsoft says this is not a worm but a trojan. However, other researchers are saying that this is worm because of the way it attacks other hosts on a network via RPC. I guess you could call it a “network-aware” trojan as ThreatExpert mentions. Either way, malware authors are most likely developing more powerful payloads as I write this.

As a final reminder we all know based on past history with RPC vulnerabilities…reliable public exploit code will be out before you know it! Make sure you take your patching seriously…

I tested Gimmiv.A in my lab and it did show worm-like behaviors however did not exploit another test victim on the same network. Looking at some of the code and strings there are definitely worm-like features that either arent turned on in the variant I tested or not working…yet.